Computer Stuff

to Vista or not to Vista… That seems to be the question…

by on Mar.22, 2008, under Windows Info

You know, the only 2 problems that I have with Vista right now, is that certain features of hacking programs requiring raw open sockets don’t work. (for instance, Nmap cannot send a half-open SYN scan packet out through the Ethernet adapter because it’s stopped by the OS.) I’m sure that that’s considered a feature, it stops the bad guys from doing lots of undesirable things, but it also stops me from finding those holes. It could be argued that these features will no longer be needed due to improvements in the default security stance of their new OSs, but as long as there are 2000 and XP machines out there, I *need* this functionality. It may be possible to allow this behavior through registry-hack or otherwise, but it hasn’t been a pressing enough issue for me to worry about, yet.

The other problem that I have is the forced hardware forklift-upgrade. You really cannot just upgrade your existing machines to use with Vista. This seems to be consistently problematic, and the best course of action for users would be to purchase new hardware specifically for running Vista. On a recent implementation, all workstations were bought specifically with running Vista in mind, and all machines behaved perfectly during the migration to a new Active Directory running on SBS 2003 R2. The new “File and Settings Transfer Wizard” is called “Windows Easy Transfer” and it works *PERFECTLY*. A HUGE improvement over FSTW.

I’m running 64-bit Vista Ultimate on a Lenovo T61 [T7100] 1.8GHz dual-core with 2GB of RAM, a 74GB hard disk, and Office 2007 Enterprise. It runs *significantly* faster than the 32-bit version on this same hardware. (Even though most programs installed run in 32-bit emulation mode, I don’t really notice.) My Windows Experience Index is only a 3.5, but that’s just enough to enable all of the extra eye-candy (Aero and Glass), and run it well enough for an impatient user such as myself. I’ve learned to make shortcuts for myself so that connecting to a customer VPN is not so tedious.

There is a hardware assessment tool for testing existing workstations for upgrade to Vista. It’s called the Vista Upgrade Advisor. You can download it here: http://www.microsoft.com/downloads/details.aspx?FamilyId=42B5AC83-C24F-4863-A389-3FFC194924F8&displaylang=en

Run it on your workstations; if you get a Windows Experience Index of 3.5 or better, I say do it. If you are an end-user and you can’t run Aero and Glass, there’s no real reason to upgrade to it. If you are an administrator, you want *everyone* running Vista for the granular control it gives over your client workstations using Group Policy. The newly added GPO templates and Local Security Policy settings are a *must-have* for any tightly controlled LAN environment.

So there.. I said it.. I like Vista (64-bit).. I’m still not gonna replace my OpenBSD+Postfix mail server with it. ;)

Brian


Configuring a Cisco PIX 501

by on Jun.28, 2007, under Networking

If you’re using Windows 2000 (service pack 4 and higher), HyperTerminal is included. To access it, go to Start > Programs > Accessories > Communications, and click the HyperTerminal icon. When the program starts, type in “PIX.” At the bottom of the box, select COM 1. In Properties, select 9600 bits per second; data bits: 8; parity: none; stop bits: 1; and flow control: none.

If you’re using the console to configure your PIX for the first time, you should see a message that says:

Pre-configure PIX Firewall now

through interactive prompts? [yes]?

Hit the Control-Z keys, and you’ll see the prompt. The “>” sign tells you that you’re in unprivileged mode, and that you can only view your current configuration. In order to change settings, you’ll have to switch to privileged mode. To do this, type “en” at the prompt. (You’ll see the hash symbol “#” when you’re in privileged mode.) It should look like this:

pixfirewall#

Wait a second: We haven’t entered a password yet. To do this, hit Return again to get to the prompt and enter a password.

Configuration Time

Because your router is “out of the box,” it has no default configuration. It doesn’t know its place in the universe, nor does it know what type of traffic you’d like it to forward or restrict. To tell it these things, we’ll go into “configure terminal” mode (or “conf t” for short). At the prompt, enter:

pixFirewall#config t

Now the prompt should look like this:

pixFirewall (config)#

The PIX itself, however, has no configuration yet (because we cancelled out of the interactive setup). Any time you’d like to see the configuration, type the following at the command prompt:

pixFirewall(config)# wr t

You should see it spit out something like the following:

PIX Version 6.3(3)
interface ethernet0 auto shutdown
interface ethernet1 100full shutdown
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password 8Ry2YjIyt7RRXU24 encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
hostname pixfirewall
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
<--- More --->

Hit the space bar to continue, and you should see:

pager lines 24
mtu outside 1500
mtu inside 1500
no ip address outside
no ip address inside
ip audit info action alarm
ip audit attack action alarm
pdm history enable
arp timeout 14400
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server LOCAL protocol local
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
telnet timeout 5
ssh timeout 5
console timeout 0
terminal width 80
Cryptochecksum:d41d8cd98f00b204e9800998ecf8427e
: end
[OK]
pixfirewall(config)#

Assigning a Password

Fresh out of the box, a PIX firewall doesn’t have a password, so let’s assign one now. Type “enable password” and then enter a password. In our example, we’ll use the word “techst0ck.”

pixFirewall(config)# enable password techst0ck

Now we’ll bring up those two interfaces, as out of the box, they’re down.

pixFirewall(config)# interface ethernet0 auto
pixFirewall(config)# interface ethernet1 100full

You can see the status of these interfaces by typing:

pixFirewall(config)# show interfaces

That command will give you this:

interface ethernet0 "outside" is up, line protocol is up
Hardware is i82559 ethernet, address is 0011.92c5.6b92
MTU 1500 bytes, BW 100000 Kbit full duplex
28354 packets input, 2040341 bytes, 0 no buffer
Received 28383 broadcasts, 0 runts, 0 giants
0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
0 packets output, 0 bytes, 0 underruns
0 output errors, 0 collisions, 0 interface resets
0 babbles, 0 late collisions, 0 deferred
0 lost carrier, 0 no carrier
input queue (curr/max blocks): hardware (128/128) software (0/1)
output queue (curr/max blocks): hardware (0/0) software (0/0)
interface ethernet1 "inside" is up, line protocol is up
Hardware is i82559 ethernet, address is 0011.92c5.6b94
MTU 1500 bytes, BW 100000 Kbit full duplex
246 packets input, 29521 bytes, 0 no buffer
Received 246 broadcasts, 0 runts, 0 giants
0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
0 packets output, 0 bytes, 0 underruns
0 output errors, 0 collisions, 0 interface resets
0 babbles, 0 late collisions, 0 deferred
0 lost carrier, 0 no carrier
input queue (curr/max blocks): hardware (128/128) software (0/1)
output queue (curr/max blocks): hardware (0/0) software (0/0)

Now that the interfaces are up, it’s time to assign both an inside and an outside IP address. It is between these two addresses that your PIX will permit or deny traffic, so if this step isn’t done correctly, traffic cannot come in or leave your network correctly.

Let’s assume you assign your outside address dynamically (for instance, your ISP automatically assigns you an IP address). To let your ISP auto-assign one, type:

pixfirewall(config)# ip address outside dhcp

If there is a DHCP server upstream from you that is properly configured to lease you an IP address, you’ll get a message similar to this one:

Allocated IP address =12.110.110.91, netmask =255.255.252.0, gateway = 12.110.110.1

If this doesn’t work, then you’ll need to manually assign your IP address on ethernet0. If your ISP told you your IP address is, say, 12.110.110.91/24, then you’d type in this:

pixFirewall(config)# ip address outside 12.110.110.91 255.255.255.0

Once you’ve finished, you’ll need to set the IP addresses of the inside (ethernet1) interface as well.

pixFirewall(config)# ip address inside 10.1.1.1 255.255.255.0

The 10.x.y.z address we chose is a private IP address (also called a non-routable IP). We could have chosen from a wide range of private IP addresses (10.0.0.0 through 10.255.255.255; 172.16.0.0 through 172.31.255.255; or 192.168.0.0 through 192.168.255.255), but we arbitrarily chose the 10.1.1.0/24 network.

If everything goes according to plan, type:

pixFirewall(config)# show ip address

You’ll get something like this:

System IP Addresses:
ip address outside 12.110.110.91 255.255.252.0
ip address inside 10.1.1.1 255.255.255.0
Current IP Addresses:
ip address outside 12.110.110.91 255.255.252.0
ip address inside 10.1.1.1 255.255.255.0

Ethernet Considerations

In order for our inside (Ethernet1) and outside (Ethernet0) interfaces to work, they need to be configured properly with global addresses, NAT (network address translation), and routing. Without these, your PIX is just a box with two IP addresses and no way to translate inbound traffic to your public IP or public traffic to your internal addresses.

The PIX 501 is the smallest model from Cisco, so we’ll assume that your network isn’t too large. In this example, we’re only going to NAT your one public IP. Theoretically, you can NAT 254, although you’re limited to 10 devices unless you buy an upgrade license.

If you use DHCP, then you’ll need to configure the PIX to route outgoing traffic. Since it’s DHCP, we don’t really know where that is, as our ISP may very well decide to change our IP address without telling us. In this case, we’ll need to type in the following line:

pixfirewall(config)# ip address outside dhcp setroute

If all went well, you should see something like this:

Allocated IP address = 12.110.110.91, netmask = 255.255.252.0, gateway = 12.110.110.1

If all didn’t go as planned, you’ll have to manually add your route:

pixFirewall(config)# route outside 0.0.0.0 0.0.0.0 12.110.110.1

To double-check that route, type:

pixFirewall(config)# sh route

And, in the case of our first DHCP example, you should get something similar to the following:

pixfirewall(config)# sh route
outside 0.0.0.0 0.0.0.0 12.110.110.1 1 DHCP static
outside 12.110.110.0 255.255.252.0 66.215.246.91 1 CONNECT static
inside 10.1.1.0 255.255.255.0 10.1.1.1 1 CONNECT static

Now that the PIX knows what to do with outgoing traffic (send it upstream to another router), we need to give it specific instructions on how to translate traffic between the two interfaces. Use these two commands to make that happen:

pixfirewall(config)# nat (inside) 1 10.1.1.0 255.255.255.0
pixfirewall(config)# global (outside) 1 interface

If you did this correctly, the second line will give the message:

outside interface address added to PAT pool

Now your PIX has been configured to translate traffic between your public (12.110.110.91) address and your private 10.1.1.0/24 network. The only thing left now is to configure the DHCP server on the internal interface. Doing so will allow the PIX to automatically assign IP addresses to those on your network; similar to the way an ISP automatically assigns IPs to its users. To do this, follow these instructions:

pixfirewall(config)# dhcpd address 10.1.1.32-10.1.1.63 inside
pixfirewall(config)# dhcpd dns 4.2.2.1 4.2.2.2
pixfirewall(config)# dhcpd lease 3600
pixfirewall(config)# dhcpd ping_timeout 750
pixfirewall(config)# dhcpd enable inside

One note on the DHCP server configuration above: you may have to obtain DNS server addresses from your provider. If you don’t have those numbers readily available or aren’t sure what to do, you can use 4.2.2.1 and 4.2.2.2. The only problem is that these servers might not resolve your Web pages as quickly as your own ISP’s servers, so you should consider using the addresses your ISP provides.

If all has gone well up to this point, computers that are plugged into the back of your PIX (in slots 1 through 4) should have no problem getting on the Internet. In fact, if you go to any of these computers and (assuming you’re running Windows 2000 or Windows XP) go to Start>Run and type “cmd,” you can test the connection. At the prompt, type:

C:\>ipconfig

Your IP address, which should lie somewhere between 10.1.1.32 and 10.1.1.63, should be displayed if your network settings were configured to obtain an IP automatically. If an IP address showed up, type:

C:\>ping 10.1.1.1

And you should get a response similar to this:

Pinging 10.1.1.1 with 32 bytes of data:
Reply from 10.1.1.1: bytes=32 time<10ms TTL=255
Reply from 10.1.1.1: bytes=32 time<10ms TTL=255
Reply from 10.1.1.1: bytes=32 time<10ms TTL=255
Reply from 10.1.1.1: bytes=32 time<10ms TTL=255
Ping statistics for 10.1.1.1:
Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
Minimum = 0ms, Maximum = 0ms, Average = 0ms

Saving Your Configuration to Memory

If all went well, and your DNS is properly working, you should be able to open your browser and surf the Internet as usual. If that’s the case, let’s proceed to saving the running configuration to memory.

pixFirewall(config)# wr m
Building configuration…
Cryptochecksum: 2083012d dc56002e ebb9e5d3 f405a373
[OK]

Security Considerations

At this point, the question often arises, “How secure am I?” The answer: Not nearly as secure as you’ll ultimately want to be. Thanks to Cisco’s Adaptive Security Algorithm (ASA), the firewall settings are similar to the default settings of a home Linksys or Netgear router: All outbound traffic is permitted (unless expressly prohibited), and all inbound traffic is denied (unless expressly permitted). Your network will no doubt need much more security than this, so you will need to either read through Cisco’s documentation or hire a networking consultant.

If you’re curious about Cisco’s ASA settings, type in “wr t” from the command line and you’ll see something like this:

Building configuration…
: Saved
:
PIX Version 6.3(3)
interface ethernet0 auto
interface ethernet1 100full
nameif ethernet0 outside security0
nameif ethernet1 inside security100

In the end, “security0” and “security100” specify the security level of each interface. Cisco’s ASA allows traffic to pass from trusted (100) to untrusted (0), but not the reverse. With our configuration, internal traffic can pass freely to the outside because its security level is higher.

If you host a Web server, and most, if not all, of your traffic is coming from the outside, how do you let that traffic in? The answer lies with Cisco’s use of Access Control Lists (ACLs). An in-depth look at how ACLs work is beyond the scope of this article, but Cisco’s Using PIX Firewall Commands can help you configure the firewall. And if you’re really stuck, consider hiring a professional network administrator.

At best, poorly configured ACLs can mean sporadic connectivity; at worst, it can mean huge security breaches in your network. What’s especially dangerous for new network administrators is the temptation to do things a certain way because “it works.” In a desperate effort to make things work, they often create ACLs that are too permissive, leaving open big holes for malicious hackers or crackers to exploit.
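Part of the answer to “How secure am I?” is already in the “wr t” listing itself: the walkthrough above never changes the factory snmp-server community public string, leaves the console timeout at 0, and only replaces the enable password; the telnet/ssh login password (“passwd”) is never touched. The Python script below is an added example, not part of the original post and not a Cisco tool. It scans a constructed PIX 6.x listing (assembled from the default output shown above plus the lines this walkthrough adds, not captured from a real device) and reports the leftover defaults. The two hash values it compares against are the well-known PIX 6.x hashes of an empty enable password and of the factory telnet password “cisco”; those, the severity labels, and the hardened sample in the usage note are my assumptions, not statements from the post.

```python
import re

# Constructed sample: the defaults-only "wr t" listing a fresh PIX 501 prints
# (trimmed), with the lines this walkthrough adds. Not output from a real box.
SAMPLE_WR_T = """\
PIX Version 6.3(3)
interface ethernet0 auto
interface ethernet1 100full
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password 8Ry2YjIyt7RRXU24 encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
hostname pixfirewall
ip address outside 12.110.110.91 255.255.252.0
ip address inside 10.1.1.1 255.255.255.0
snmp-server community public
no snmp-server enable traps
telnet timeout 5
ssh timeout 5
console timeout 0
nat (inside) 1 10.1.1.0 255.255.255.0
global (outside) 1 interface
"""

# Well-known PIX 6.x hashes of the factory credentials: an empty enable
# password, and "cisco" as the telnet/ssh login password (assumed here).
DEFAULT_ENABLE_HASH = "8Ry2YjIyt7RRXU24"
DEFAULT_PASSWD_HASH = "2KFQnbNIdI.2KYOU"

# (regex, severity, message); "{0}" in the message is the first capture group
CHECKS = [
    (r"^enable password (" + re.escape(DEFAULT_ENABLE_HASH) + r") encrypted$",
     "high", "enable password still has the factory (empty) value"),
    (r"^passwd (" + re.escape(DEFAULT_PASSWD_HASH) + r") encrypted$",
     "high", "telnet/ssh login password still has the factory value"),
    (r"^snmp-server community (public|private)$",
     "medium", "SNMP community string is the well-known default '{0}'"),
    (r"^telnet (\d+\.\d+\.\d+\.\d+ \S+ \S+)$",
     "medium", "cleartext telnet management permitted from {0}"),
    (r"^console timeout (0)$",
     "low", "console session never times out"),
    (r"^interface (\S+) \S+ shutdown$",
     "info", "interface {0} is administratively down"),
    (r"^no ip address (\S+)$",
     "info", "interface '{0}' has no IP address"),
]

SEVERITY_ORDER = ["info", "low", "medium", "high"]


def audit_pix_config(text):
    """Return a list of (severity, message) findings for a PIX 6.x 'wr t' listing."""
    findings = []
    lines = [ln.strip() for ln in text.splitlines() if ln.strip()]
    for line in lines:
        for pattern, severity, message in CHECKS:
            m = re.match(pattern, line)
            if m:
                findings.append((severity, message.format(m.group(1))))
    # A listing with no "enable password" line at all is the out-of-the-box state
    if not any(ln.startswith("enable password ") for ln in lines):
        findings.append(("high", "no enable password configured"))
    return findings


def worst_severity(findings):
    """Highest severity present, or 'none' when the listing is clean."""
    return max((sev for sev, _ in findings), key=SEVERITY_ORDER.index, default="none")


if __name__ == "__main__":
    results = audit_pix_config(SAMPLE_WR_T)
    for severity, message in results:
        print("[%-6s] %s" % (severity, message))
    print("worst:", worst_severity(results))
```

Run it after “wr t” on your own listing and fix anything rated medium or higher before the outside interface goes live; on the sample it reports the two factory credentials, the public SNMP community and the console timeout, and nothing else.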


Configuring subdomains on IIS

by on Oct.30, 2006, under Windows Info

Configuring the web server for subdomains
Once the DNS server is set up to send the request for the subdomain to the corresponding IP address, the work of the web server begins. The web server needs to be configured appropriately to handle the request for the subdomain based on either the IP address or the host header entry. Host headers are commonly used by web servers to host multiple domains or subdomains on one IP address.

Microsoft Windows IIS: In the case of Internet Information Server (IIS), create a new web site for the subdomain using the IIS Manager, and add the subdomain (e.g. subdomain.domain.com) as a new host header value listening on the same IP address as specified in the DNS entry. The port is set to 80 (the default for http requests). The host header can be added by clicking on the advanced tab next to the IP address configuration for that web site application. If the subdomain points to a subdirectory of the web site for the domain, then set the home directory for the subdomain web site to that subdirectory. For example, if domain.com points to C:\Inetpub\wwwroot and the subdomain needs to be set up for C:\Inetpub\wwwroot\subdomain, then the directory for the subdomain website should be set to C:\Inetpub\wwwroot\subdomain.


Repairing WMI on Windows XP/2003

by on Jun.14, 2006, under Windows Info

If WMI is broken, how can it be fixed? The only Microsoft-endorsed way to repair WMI is to reinstall Windows. But for most of us, that isn’t a practical approach. Another method is to force WMI to repair itself. Of all the WMI repair techniques I’ve seen, this five-step approach seems to work the best. (However, it may not work on all systems.)

1. At the command line, type net stop winmgmt. You may get a warning that other services need to be stopped as well; type Y and continue.
2. Open Explorer and go to %SystemRoot%\System32\WBEM\Repository.
3. Delete that folder and everything in it.
4. Reboot the system normally.
5. On the next login, open a command prompt and type the following commands in this order:
winmgmt /clearadap
winmgmt /kill
winmgmt /unregserver
winmgmt /regserver
winmgmt /resyncperf

This procedure will force the WINMGMT service to re-register itself as well, although, if WMI is damaged, re-registering can be a problem. If this approach does not work, an in-place upgrade (i.e., a reinstall) might be required.


Lock down your Mac (even during a re-boot)

by on Apr.27, 2006, under Mac OSX

Procedure for Enabling Open Firmware Password Protection
(written by CodeSamurai at SecureMac.com)


Enabling Open Firmware Password Protection

1) Boot into the Open Firmware. (Command + Option + O + F)

2) At the command prompt, type “password” (without the quotes, of course). You will be prompted to enter in the password you wish to use. Type your password, press the return key, retype your password again, and press return to verify that the first password you typed is indeed the password you want. (Note: the password is stored in the “security-password” variable, but the contents of this variable are never shown via the “printenv” command.)

3) Type “setenv security-mode full” OR “setenv security-mode command” OR “setenv security-mode none”, depending on which level of security you wish.

4) Then type “reset-all” to restart the computer.

Disabling Password Protection

1) Boot into the Open Firmware. (Command + Option + O + F)

2) Type “setenv security-mode none” and press return.

3) Enter in the password at the password request prompt and press return.

4) Then type “reset-all” to restart the computer.

Force Removing Password Protection

1) Add or remove DIMMs to change the total amount of RAM in the computer.

2) Then, the PRAM must be reset 3 times. (Command + Option + P + R).


Asterisk@Home 2.5 is an *Excellent* release

by on Feb.08, 2006, under Linux

While I downloaded Asterisk@Home-2.5, I assembled the machine that was to run it. It’s an old Compaq Deskpro PIII 450, with 256MB of PC100 RAM and a 6GB drive. A modest workstation at best. We’ll see how it goes…

Installing the operating system (CentOS 4) took around an hour, and went very smoothly.
Installing Asterisk took *considerably* longer, as everything is auto-configured and built from source.
However, in spite of seeing some errors fly by, and prompts to change passwords fly by, everything seemed to build, install, and succeed. For such a long build and install process, it’s impressive that it worked without any real help.
It automatically found and configured my cheap WildCard X100P clone, and prompted me to change my passwords. Upon reboot, everything seemed to work fine until I used “yum” to update CentOS. Upon rebooting after the yum updates, it kernel panicked and froze. Fun. *dammit*

Upon closer inspection, yum updated udev and obliterated the zaptel modules.
So, I cd’d to /usr/src/zaptel, and re-built and re-installed like so:

# cd /usr/src/zaptel
# make && make install && make install-udev
# shutdown -r now

When the system came back, everything was fixed and functional.
The web interfaces are intuitive (although I would like to see a single admin login for all web interfaces),
and the CDR reporting features are great. There is a mailbox-like web interface from which your users can check and listen to their voicemail, an awesome graphical interface to the trunks, as well as direct access to editing the config files by hand.
The following phones registered on the first try:

  • sipura SPA-841 with a Linksys wireless G bridge
  • snom 190
  • xten-lite for MacOS X
  • Grandstream Budgetone

You really should be downloading this already…


OpenBSD pf and Voice over IP

by on Feb.08, 2006, under OpenBSD

Background
In a typical home network, a NAT device hides a number of internal devices behind a single globally addressable IP address within the network provider’s IP space. While VOIP is readily available to end consumers via the SIP protocol, SIP isn’t directly usable behind a NAT device.

Most VOIP providers utilize what is called a “media proxy”, a set of servers that exist to assist with this issue by redirecting media streams from consumers to the VOIP provider’s SIP servers. This workaround introduces two problems: The media proxies need to have ample bandwidth and low latency, but also end up disallowing more than one SIP device per customer IP address.

To allow for a home network based multi-line multi-device SIP setup, media proxy use is not possible. Instead, the home network NAT device should be configured to redirect SIP control and media streams to the appropriate IP phones within the home network. Packet filter from OpenBSD can fulfill that role. You could also run a local PBX or SIP router, but that solution adds moving parts and is beyond the scope of this note.

Phone configuration
This configuration has been tested with the Cisco 7960 phone.

Do not use NAT proxy or outbound_proxy. Define each call appearance with its distinct SIP proxy information, and the same control port of 5060/udp can be used for all. The STUN phone feature should be enabled, although some commercial SIP proxies can function without it.

pf Configuration
pf(4) uses /etc/pf.conf as its configuration file. Here is a basic subset of a ruleset that also uses ALTQ to guarantee bandwidth to the voice uplink, since upload bandwidth is usually restricted.

While packet queueing is not always necessary, the occasional voice quality degradation associated with link bandwidth being unavailable is undesirable. It is a very useful capability to have at your disposal and allows for reliable, superior to PSTN voice quality.

# Return error codes for ports that are blocked. Allows faster error recovery
set block-policy return

# udp session timeout should be equal to or larger than your smallest SIP registration
# timer timeout. For a typical SIP timeout of 300 seconds, this should suffice.
set timeout { udp.first 300, udp.single 150, udp.multiple 900 }

# definitions
int_if = "fxp0"
ext_if = "fxp1"
int_net = "192.168.1.0/24"
ipphone1 = "192.168.1.18"
ipphone2 = "192.168.1.19"

# enable CBQ queueing on the external interface. Define 3 queues
altq on $ext_if cbq bandwidth 1000Kb queue { q_voice, q_pri, q_std }
queue q_voice bandwidth 192Kb priority 7 cbq(borrow)
queue q_pri bandwidth 50% priority 6 cbq(borrow)
queue q_std bandwidth 80% priority 1 cbq(default borrow)

# One translation line per IP phone. static-port is necessary to make pf retain the UDP
# ephemeral port, so that the remote SIP proxy knows what session we belong to
nat on $ext_if proto udp from $ipphone1 to any -> ($ext_if) static-port
nat on $ext_if proto udp from $ipphone2 to any -> ($ext_if) static-port

# Generic NAT rule for all internal network devices
nat on $ext_if from $int_net to any -> ($ext_if)

# Allow external SIP control traffic
pass in quick on $ext_if proto udp from any to any port 5060 keep state

# Allow media traffic, place in voice queue (guaranteed b/w)
# This assumes standard media stream configuration with a Cisco IP phone. Modify as
# necessary.
pass out quick on $ext_if proto udp from $ext_if to any port 16384:32768 \
    tos 0xb8 queue q_voice keep state

# Outgoing traffic creates state entries
pass out quick on $ext_if proto { tcp, udp, icmp } all keep state

block in log all

Troubleshooting and verification
To verify that the implementation works as expected, a media stream should be set up from the internal network, NATed and forwarded to the external SIP gateway. Source and destination ports for control traffic (destination port 5060) and media traffic (varies) should remain unchanged by the gateway. Now your phones should work.

To verify correct packet prioritization, saturate the uplink with a large upload and attempt to use the IP phone at the same time. The IP phone traffic should get mapped to the high priority queue and voice quality should be good at the remote end. Because of ample download bandwidth, queueing is usually not needed and regular packet forwarding is sufficient.

  • Check status of queues: pfctl -s queue -v
  • Flush state table: pfctl -F state (queue tagging persists with state entries)
  • Check firewall rule hit count: pfctl -s rules -v

OpenSSL certificate conversion PKCS#12 PEM

by on Feb.04, 2006, under OpenBSD

Convert a certificate from PEM format (.pem) to PKCS12 format (.p12)

To use a certificate for authentication or for encryption/decryption, you have to import it into your program’s certificate manager. The program could be a web browser, email client, or even something like a hard-coded encryption/decryption routine run from a script. Different programs, browsers, and mail clients require this certificate in differing formats. At some point, you will need to convert a certificate, unless you *love* spending all of your extra cash on commercial certificates.
Here’s the openssl command to convert your certificate from a PEM format to a PKCS12 format:

$ openssl pkcs12 -export \
    -out file_name.p12 \
    -name "My certificate" \
    -inkey ~/.ssl/userkey.pem \
    -in ~/.ssl/usercert.pem

## Options Explanation ##
-out : The filename of your new certificate file in PKCS12 format.
-name : An arbitrary text name to differentiate this certificate from others.
-inkey : The path and the name of the file containing your private key
-in : The path and the name of the file containing your certificate.

Convert a certificate from PKCS12 format (.p12) to PEM format (.pem)

  • To export just your private key to ~/.ssl/userkey.pem

    $ openssl pkcs12 -nocerts -in cert.p12 -out ~/.ssl/userkey.pem

  • To export only your certificate to ~/.ssl/usercert.pem

    $ openssl pkcs12 -clcerts -nokeys -in cert.p12 -out ~/.ssl/usercert.pem

-in cert.p12 : the path and filename of your certificate in PKCS12 format.

Change the passphrase of the private key

$ openssl rsa -in ~/.ssl/userkey.pem -des3 -out ~/.ssl/userkey.new.pem

Where ~/.ssl/userkey.pem is your private key and ~/.ssl/userkey.new.pem receives the re-encrypted copy (without -out, openssl writes the key to standard output instead of a file).
The openssl command will prompt for:
1. your old password
2. your new password
3. verification of your new password
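The PEM-to-PKCS#12 conversion above and the two export commands back to PEM are easy to get subtly wrong (exporting the key from one .p12 and the certificate from another, for instance). The Python script below is an added example, not part of the original post and not an OpenSSL tool: it drives the same openssl commands in a temporary directory, creating a throwaway self-signed certificate that stands in for ~/.ssl/usercert.pem and ~/.ssl/userkey.pem, exporting it to PKCS#12 with the -export flags shown, splitting the .p12 back into a key-only and a certificate-only PEM file, and then checking that the recovered key really belongs to the recovered certificate by comparing the public key each one yields. It assumes an openssl binary on PATH (and returns None if there is none) and supplies the passphrase through -passout/-passin instead of the interactive prompt; the file names and passphrase are constructed for the example.

```python
import shutil
import subprocess
import tempfile

# Assumption: an openssl binary is installed and on PATH
OPENSSL = shutil.which("openssl")


def run(*args, cwd):
    """Run one openssl sub-command in cwd and return its stdout; raise on failure."""
    return subprocess.run([OPENSSL, *args], cwd=cwd, check=True,
                          capture_output=True, text=True).stdout


def pkcs12_round_trip(passphrase="example-pass", name="My certificate"):
    """PEM -> PKCS#12 -> PEM round trip with a throwaway self-signed certificate.

    Returns None when openssl is unavailable, otherwise a dict with the public
    key recovered from the certificate and whether the recovered private key
    produces the same public key (i.e. key and certificate belong together).
    """
    if OPENSSL is None:
        return None
    with tempfile.TemporaryDirectory() as d:
        # Throwaway self-signed certificate: stands in for ~/.ssl/usercert.pem
        # and ~/.ssl/userkey.pem (constructed, not a real user certificate).
        run("req", "-x509", "-newkey", "rsa:2048", "-nodes", "-days", "1",
            "-subj", "/CN=example.test",
            "-keyout", "userkey.pem", "-out", "usercert.pem", cwd=d)

        # PEM -> PKCS#12, same flags as the post, passphrase given non-interactively
        run("pkcs12", "-export", "-out", "file_name.p12", "-name", name,
            "-inkey", "userkey.pem", "-in", "usercert.pem",
            "-passout", "pass:" + passphrase, cwd=d)

        # PKCS#12 -> PEM: private key only (-nocerts), then certificate only
        run("pkcs12", "-nocerts", "-nodes", "-in", "file_name.p12",
            "-out", "key_back.pem", "-passin", "pass:" + passphrase, cwd=d)
        run("pkcs12", "-clcerts", "-nokeys", "-in", "file_name.p12",
            "-out", "cert_back.pem", "-passin", "pass:" + passphrase, cwd=d)

        # The key matches the certificate only if both yield the same public key
        pub_from_key = run("pkey", "-in", "key_back.pem", "-pubout", cwd=d)
        pub_from_cert = run("x509", "-in", "cert_back.pem", "-noout", "-pubkey", cwd=d)
        return {
            "public_key": pub_from_cert,
            "key_matches_cert": pub_from_key == pub_from_cert,
        }


if __name__ == "__main__":
    result = pkcs12_round_trip()
    if result is None:
        print("openssl not found on PATH")
    else:
        print("key matches certificate:", result["key_matches_cert"])
```

The same two-command comparison (openssl pkey -pubout on the key, openssl x509 -noout -pubkey on the certificate) is a quick way to confirm that any userkey.pem/usercert.pem pair you are about to package actually belong together.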


Vapor-worm Day..

by on Feb.01, 2006, under Windows Info

KamaSutra/Blackworm Disinfection Utility*

F-Secure Corporation provides the special disinfection utility to clean Nyxem.e infection from a computer. This disinfection utility is called F-Force and it can be downloaded from F-Secure’s web and ftp sites:

ftp://ftp.f-secure.com/anti-virus/tools/f-force.zip
http://www.f-secure.com/tools/f-force.zip

The utility is distributed only in a ZIP archive that contains the following files:

  • f-force.exe – the main executable file
  • eult.rtf – End User License Terms document
  • readme.rtf – Readme file in RTF format
  • readme.txt – Readme file in ASCII format

To unpack the archive please use the WinZip or similar archiver.

IMPORTANT! Please make sure that you read the End User License Terms document (Eult.rtf) and the Readme file (either Readme.txt or Readme.rtf) before using the F-Force utility!

The F-Force utility needs the archive with the latest updates in order to function properly. The archive’s name is LATEST.ZIP and it should be downloaded and put into the same folder where the F-Force utility is located. This archive with the latest updates can be downloaded from these locations:

http://download.f-secure.com/latest/latest.zip
ftp://ftp.f-secure.com/anti-virus/updates/latest/latest.zip

Please note that the F-Force utility can disinfect only certain malicious programs. Besides, the utility does not scan inside archives. So after cleaning a computer with the F-Force utility it is recommended to scan all hard drives with F-Secure Anti-Virus and the latest updates to make sure that no infected files remain there.

A trial version of F-Secure Anti-Virus and the latest updates can be downloaded from F-Secure’s website:

http://www.f-secure.com/download-purchase/list.shtml
http://www.f-secure.com/download-purchase/updates.shtml
* taken from f-secure.com


Seamonkey 1.0 Released!

by on Jan.31, 2006, under Windows Info

For those of you that really missed Netscape Communicator, this will be a welcome addition to your arsenal. Seamonkey 1.0 has it all, a web browser, advanced e-mail and newsgroup client, IRC chat client, and HTML editing made simple — all your Internet needs in one application. Basically, all the great tools Communicator had, with some new bells and whistles from the fine folks at Mozilla.org. You can get your copy here.


